How an XSS in (HipChat native OS X application) can lead to remote code execution. Two issues exist in Atlassian’s HipChat desktop client that allow an attacker to retrieve files or execute remote code...

The mobile version of the Flickr site accepts user-controlled input and includes it in the HTML output without proper encoding. This is similar to the bug posted at: Abusing CORS for an XSS on Flickr, which is actually really similar to a bug I found on Facebook mobile a few years ago: Facebook XSS via CORS

Facebook allows developers to build applications using the “Canvas”. Because the canvas apps run on the Facebook domain, they use a “Sandbox”. This is a subset of HTML called FBML and a limited JavaScript set called FBJS. The sandbox is basically used to try to prevent an attacker from being able to run malicious code.